Reputation: 1914
I have a virtual host for each domain apache2 is serving.
Something like /etc/apache2/sites-available/1.conf:
<VirtualHost *:443>
ServerName xyz.com
ServerAlias www.xyz.com
SSLEngine on
SSLCertificateFile /etc/.../cert.pem
SSLCertificateKeyFile /etc/.../privkey.pem
SSLCertificateChainFile /etc/.../chain.pem
</VirtualHost>
<VirtualHost *:443>
ServerName qwert.com
ServerAlias www.qwert.com
SSLEngine on
SSLCertificateFile /etc/.../cert.pem
SSLCertificateKeyFile /etc/.../privkey.pem
SSLCertificateChainFile /etc/.../chain.pem
</VirtualHost>
I want to add some SSL settings specifying cipher suite and allowed TLS versions in a way that they are shared between all SSL enabled sites. That way I can change them centrally instead of editing every single vhost.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
How can I do this centrally?
Upvotes: 1
Views: 834
Reputation: 840
Alternatively, you can put your SSL config into a file and include just that file in every vhost.
Fortunately the Letsencrypt guys have already created such a file for you: search for options-ssl-apache.conf
locate options-ssl-apache.conf
Example include:
<VirtualHost ...>
Include /etc/letsencrypt/options-ssl-apache.conf
...
</VirtualHost>
Finally, here is their example file, the Letsencrypt way of making HTTPS more secure:
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
This config resulted in an A+ at https://www.ssllabs.com/ssltest/.
Upvotes: 1
Reputation: 1914
Apache provides the Define directive, which defines variables that you can use elsewhere.
At the top of my /etc/apache2/apache.conf I define all the SSL settings I want centralized.
Define honor_ssl_cipher_order on
Define ssl_protocol "all -SSLv2 -SSLv3"
Define ssl_cipher_suite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Then, in each virtual host, I can write:
<VirtualHost *:443>
...
SSLProtocol ${ssl_protocol}
SSLHonorCipherOrder ${honor_ssl_cipher_order}
SSLCipherSuite "${ssl_cipher_suite}"
</VirtualHost>
Upvotes: 1
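Both answers leave the same operational question open: once the settings live in one place, how do you confirm that every TLS vhost actually picks them up? Below is an added example (not code from the question or either answer) that resolves Define, ${var} and Include in file order, the way httpd's parser does, and reports the SSL vhosts whose effective settings still accept SSLv3 or list RC4. The file contents, hostnames and paths are constructed stand-ins; the parser is deliberately minimal and assumes one directive per line, ignoring <IfModule>/<Directory> sections.

```python
import re

# Constructed stand-in for the real files: a tiny copy of the layout in the question and answers.
CONFIGS = {
    "/etc/apache2/apache2.conf":
        'Define ssl_protocol "all -SSLv2 -SSLv3"\nDefine ssl_cipher_suite "EECDH+AESGCM !aNULL !LOW"\n'
        "Include /etc/apache2/sites-enabled/1.conf\nInclude /etc/apache2/sites-enabled/2.conf\n"
        "Include /etc/apache2/sites-enabled/3.conf\n",
    "/etc/letsencrypt/options-ssl-apache.conf":
        "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\nSSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256\n",
    "/etc/apache2/sites-enabled/1.conf":      # the Define/${var} approach from the second answer
        "<VirtualHost *:443>\nServerName xyz.com\nSSLEngine on\nSSLProtocol ${ssl_protocol}\n"
        'SSLCipherSuite "${ssl_cipher_suite}"\n</VirtualHost>\n',
    "/etc/apache2/sites-enabled/2.conf":      # the Include approach from the first answer
        "<VirtualHost *:443>\nServerName qwert.com\nSSLEngine on\n"
        "Include /etc/letsencrypt/options-ssl-apache.conf\n</VirtualHost>\n",
    "/etc/apache2/sites-enabled/3.conf":      # a vhost nobody updated (constructed)
        "<VirtualHost *:443>\nServerName old.example\nSSLEngine on\n"
        "SSLProtocol all -SSLv2\nSSLCipherSuite RC4-SHA\n</VirtualHost>\n",
}
DIRECTIVE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$")   # "Name value..." lines only
VARIABLE = re.compile(r"\$\{(\w+)\}")                      # ${var} references

def walk(path, defines, vhosts, current=None):
    """Read one file, applying Define, ${var} and Include in order, as httpd's parser does."""
    for line in CONFIGS[path].splitlines():
        if line.lstrip().startswith("<VirtualHost"):
            vhosts.append(current := {})
        elif m := DIRECTIVE.match(line):          # blanks, comments, </VirtualHost> fall through
            name = m.group(1)
            value = VARIABLE.sub(lambda v: defines.get(v.group(1), v.group(0)), m.group(2))
            if name == "Define":
                var, _, val = value.partition(" ")
                defines[var] = val.strip().strip('"')
            elif name == "Include":               # an Include inside a vhost stays in that vhost
                walk(value, defines, vhosts, current)
            elif current is not None:
                current[name] = value.strip('"')

def effective_settings():
    """Map ServerName -> (SSLProtocol, SSLCipherSuite) for every vhost with SSLEngine on."""
    defines, vhosts = {}, []
    walk("/etc/apache2/apache2.conf", defines, vhosts)
    return {v["ServerName"]: (v.get("SSLProtocol", "all"), v.get("SSLCipherSuite", ""))
            for v in vhosts if v.get("SSLEngine", "off").lower() == "on"}

def noncompliant(settings):
    """Vhosts that still accept SSLv3 or offer RC4: the ones that missed the shared settings."""
    return sorted(name for name, (proto, suite) in settings.items()
                  if "-SSLv3" not in proto.split() or "RC4" in suite)
```

With the sample above, `noncompliant(effective_settings())` returns only `old.example`; the vhost using ${ssl_protocol} and the one including options-ssl-apache.conf both resolve to the central settings.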